VDB
GCVE-110-OSM-2026-5893
GCVE-110-OSM-2026-5893
Advisory PublishedCVSS 9.6/10
This package is a trojanized clone of the legitimate `base-x` library (cryptocoinjs/base-x). The `decode` function has been backdoored to silently POST every decoded string to a hardcoded Telegram bot (`7775457351:AAEM92rF8YltwV5EOvWsOPIfXMInbA5ltcA`, chat `-1002382353252`) via `api.telegram.org/bot.../sendMessage` on every invocation. Since `base-x` is commonly used for base58/cryptocurrency address decoding, this backdoor is specifically positioned to exfiltrate private keys, seeds, wallet addresses, or any other sensitive data passed through the decode function. The publisher `kryptodev` also maintains `base58-ts` and `tgnode`, suggesting a deliberate campaign targeting crypto-related packages with Telegram-based C2 infrastructure.
ENTRY
src/cjs/index.cjs (main: src/cjs/index.cjs)
DESTINATION
- reconstructed: https://api.telegram.org/bot7775457351:AAEM92rF8YltwV5EOvWsOPIfXMInbA5ltcA/sendMessage (primary, reconstructed) in src/cjs/index.cjs
- telegram-bot: 7775457351:AAEM92rF8YltwV5EOvWsOPIfXMInbA5ltcA (plaintext) in src/cjs/index.cjs
- telegram-bot: api.telegram.org/bot${token}/sendMessage`; (plaintext) in src/cjs/index.cjs
- domains: api.telegram.org (c2, plaintext)
OBFUSCATION
- recovered 2 urls, 1 domains from decoded/deobfuscated content
ADDITIONAL FINDINGS
- Reconstructed Obfuscated URL in src/cjs/index.cjs: "https://api.telegram.org/bot7775457351:AAEM92rF8YltwV5EOvWsOPIfXMInbA5ltcA/sendM..."
PAYLOAD FILES
src/cjs/index.cjs (+ src/esm/index.js)
INDICATORS (IOCs)
- domains: cdn.rawgit.com
- payloadFileHash: bdae45316dd613061618ecabde06f5011dfcdaf8514205773dc351b2cf0b5a64
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | base-x-ts | 5.0.4 (affected) | — |
Browse GCVE Records
72,409 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.